Policy Steward: Vice President for Administration


To set up minimum criteria for computer access, controls and security for University Computer and Network Resources, and to provide more detailed guidance with regard to concepts embodied in Policies AD20, AD23 and AD71.

Establishing permanent Committees as appropriate to advise him/her of appropriate security concerns, enhancements and technological progress in the field.

Disconnecting any Computer and Network Resource if that resource fails to meet physical or access security standards, or otherwise poses an unacceptable risk to the University's Computer and Network Resources. In particular, if a computer's security is compromised by faulty or compromised hardware or software, the Senior Director for Security Operations and Services or his/her designee will inform the security and/or technical contacts for the network of the problem. Those responsible for the computer must repair the faults as soon as possible or the computer will be disconnected until it can be verified that the faults have been repaired.

Requesting the removal of Account privileges for any system user on any University Computer and Network Resource if the individual is found to pose a substantial risk to the University's Computer and Network Resources. If the Account is not removed upon such a request, the computer or network resource upon which the Account resides may be disconnected.

Requesting termination of other services or uses of University Computer and Network Resources if such services or uses violate University computer and network security policies. If the services or uses are not terminated upon such a request, the computer or network resource(s) involved may be disconnected.

Establishing and directing the Penn State Computer Security Incident Response Team (Penn State CSIRT). Membership in the Penn State CSIRT will include experts in telecommunications and various operating systems that are in common use within the University. The Penn State CSIRT will aggressively investigate all attempts at system abuse and actively pursue abusers in order to protect the integrity of University Computer and Network Resources. The Senior Director of Security Operations and Services will ensure that an alternate is available from within the Penn State CSIRT membership to exercise the responsibilities of the Senior Director in the event a computer security emergency occurs in his/her absence.

Unit Liaisons:

In conjunction with the Security Operations and Services Director, the Unit Liaisons will establish and monitor:

Unit compliance with the University's Minimum Security Baseline, which can be found at http://sos.its.psu.edu/minimum-security-baseline.html. The Unit Liaison may request from the Security Operations and Services Senior Director the immediate removal of account privileges on networks that contain internal/controlled or restricted data, as defined in Policy AD71, Data Categorization, for system users or information associates who have violated University computer and network security policies.

Deans and Administrative Officers:

In order to comply with Policies AD20 and AD71, Deans and Administrative Officers, in conjunction with Unit Liaisons, must ensure that Colleges and Administrative Units have established and implemented security policies specific to their areas. They are similarly responsible for ensuring that the Minimum Security Baseline is implemented in the areas for which they are responsible. Moreover, system administrators within the Colleges and Administrative Units must develop security procedures implementing these policies, including the Minimum Security Baseline. Other specifics may be included as long as they do not counter elements included in this guideline, in Policies AD20, AD23 and AD71, or in other University policies.

1. Minimum requirements regarding an "Account" (see ADG01 for a definition of Account, Captive Account, and Group Account) are:

a. There should not be any guest accounts unless the account is a Captive Account.

b. There should be no Group Accounts, unless specifically requested in writing and authorized in writing by both the account owner and the University representative officially designated by the Dean or Administrative Officer in accordance with Policy AD20. For Computer and Network Resources operated by Information Technology Services, only the applicable Director may approve a Group Account.

c. The registered user of an account is responsible and liable for all processes initiated from the account. In those rare instances where Group Accounts are authorized, all users of the account are jointly responsible and liable.

2. System Administrators and managers of networks containing restricted data, as defined by Policy AD71, Data Categorization, will provide connectivity for secondary distribution to other networks only after ensuring that those networks and devices comply with the Minimum Security Baseline.

3. The appropriate safeguards for institutional or personal computers or other devices that contain the categories of internal/controlled or restricted information listed in Policy AD71, Data Categorization, are those listed in the Minimum Security Baseline.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact Security Operations and Services.

Revision History (and effective dates):

April 22, 2014 - Updated the RESPONSIBILITIES section to reflect current operations and responsibilities. The STANDARDS section has been renamed BASELINE SECURITY and revised to reflect current operations. Additionally, policy steward information has been added, in the event that there are questions or requests for changes to the policy.

August 23, 2005 - In the STANDARDS section, removal of the first line, which stated "The following minimum security standards apply to all Trusted Networks and are recommended for all University Computer and Network Resources." The intent of this section of the policy is that every network must follow these standards, not just Trusted Networks.